1865 Views, 0 Helpful, 6 Replies

Source routing?

rsamuel708 (Level 1)

Is there a way to send traffic from a particular subnet, 172.22.0.0/16 for example, to a particular server for a specific service?

I'll explain more: at my organization the security guys use Trend Micro as our virus/trojan protection etc. We currently have just one server, but they are adding two more and would like to know if we could put a policy in place to send particular traffic to a given server for just Trend Micro traffic. This is currently done with the one server with a registry edit pointing to the server.

I know we could implement this with a L4 load-balancing product, but is there a way to direct traffic similarly without it to that level of detail?

Thanks in advance.

Accepted Solution

Jon Marshall (Hall of Fame)

Yes, you can use PBR

Source = 172.22.0.0/16

Destination server(s) = 192.168.5.10, 192.168.5.20

service = TCP 4400

access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.10 eq 4400
access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.20 eq 4400
!
route-map PBR permit 10
 match ip address 101
 set ip next-hop x.x.x.x
!
int fa0/0
 ip policy route-map PBR

Notes

1) the next-hop must be reachable from this router

2) fa0/0 in the above example is the interface on which packets with a source address of 172.22.x.x arrive.

Jon


6 Replies


So, port 4400 in your example would be the port Trend listens on, so any other traffic from these subnets would not match, fall out of the route-map, and be routed as normal?

Just making sure I understand the flow.

"So, port 4400 in your example would be the port Trend listens on, so any other traffic from these subnets would not match, fall out of the route-map, and be routed as normal?"

Exactly.

Jon

Jon,

I have about 12 source subnets that need to be directed to different servers. Should I be able to combine the ACL like below? Also, 2 of the servers hang off the same switch, so should I be able to use the same route map?

;GMC
access-list 101 permit tcp 172.22.0.0 0.0.255.255 eq
;DH
access-list 101 permit tcp 172.28.0.0 0.0.255.255 eq
;DMH
access-list 101 permit tcp 172.26.0.0 0.0.255.255 eq
;RMH
access-list 101 permit tcp 172.25.0.0 0.0.255.255 eq
;WMC
access-list 101 permit tcp 172.30.0.0 0.0.255.255 eq
;CBO (each site is a /24, so the wildcard is 0.0.0.255; 0.255.255.255 would match all of 192.0.0.0/8)
access-list 101 permit tcp 192.168.2.0 0.0.0.255 eq
;CBO
access-list 101 permit tcp 192.168.10.0 0.0.0.255 eq
;CBO
access-list 101 permit tcp 192.168.11.0 0.0.0.255 eq
;CBO
access-list 101 permit tcp 192.168.12.0 0.0.0.255 eq
;CBO
access-list 101 permit tcp 192.168.13.0 0.0.0.255 eq
;CBO
access-list 101 permit tcp 192.168.14.0 0.0.0.255 eq
;CBO
access-list 101 permit tcp 192.168.15.0 0.0.0.255 eq
!
route-map server01-pbr permit 10
 match ip address 101
 set ip next-hop x.x.x.x
!
route-map server02-pbr permit 15
 match ip address 101
 set ip next-hop x.x.x.x
!
route-map server03-pbr permit 20
 match ip address 101
 set ip next-hop x.x.x.x
!

"I have about 12 source submits that need to be directed to different servers. Should I be able to combine the acl like below?"

Yes, you can do this. Bear in mind that you need to apply the policy route-map under the interface(s) on the router where the source traffic will arrive.

Jon
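To make the two answers concrete (the single-subnet PBR in the accepted solution and the multi-subnet variant discussed just above), here is an added Python model of how IOS evaluates the ACL and the route-map. It is an example written for this page, not Cisco code and not from the original posts. The config string inside it is constructed: one route-map with a sequence per site, each sequence matching its own ACL and setting its own next-hop, because an interface accepts a single `ip policy route-map` and the sequences are evaluated in order, first match wins. Server addresses, next-hops, ACL numbers and the route-map name are made up; TCP/4400 is the port from the accepted answer, and the /24 sites use the wildcard 0.0.0.255.

```python
# Toy simulator for the IOS policy-based routing (PBR) pattern in this thread.
# Added example, not Cisco code. It parses the subset of IOS syntax used above
# (numbered extended ACLs with wildcard masks, route-map sequences with
# `match ip address` / `set ip next-hop`) and evaluates packets the way IOS
# does: sequences in order, first permitting ACL wins, and a packet that
# matches nothing is handed back to the normal routing table.
import ipaddress

ALL_ONES = 0xFFFFFFFF

# Constructed config (an assumption for illustration): one route-map, one
# sequence per site, each with its own ACL and next-hop. Addresses are made up.
CONFIG = """
access-list 101 permit tcp 172.22.0.0 0.0.255.255 host 192.168.5.10 eq 4400
access-list 102 permit tcp 172.28.0.0 0.0.255.255 host 192.168.5.20 eq 4400
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.5.30 eq 4400
access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 192.168.5.30 eq 4400
route-map TREND-PBR permit 10
 match ip address 101
 set ip next-hop 10.0.1.1
route-map TREND-PBR permit 20
 match ip address 102
 set ip next-hop 10.0.2.1
route-map TREND-PBR permit 30
 match ip address 103
 set ip next-hop 10.0.3.1
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_covers(base, wildcard, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 are compared."""
    care = ALL_ONES ^ _ip(wildcard)
    return (_ip(base) ^ _ip(ip)) & care == 0


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Return (acls, route_map): ACL number -> entries, and the ordered sequences."""
    acls, route_map, current = {}, [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            number, action, proto = tokens[1], tokens[2], tokens[3]
            src, rest = _parse_addr(tokens[4:])
            dst, rest = _parse_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(number, []).append((action, proto, src, dst, dport))
        elif tokens[0] == "route-map":
            current = {"name": tokens[1], "action": tokens[2],
                       "seq": int(tokens[3]), "acl": None, "next_hop": None}
            route_map.append(current)
        elif tokens[:3] == ["match", "ip", "address"]:
            current["acl"] = tokens[3]
        elif tokens[:3] == ["set", "ip", "next-hop"]:
            current["next_hop"] = tokens[3]
        else:
            raise ValueError(f"unsupported line in toy parser: {raw!r}")
    return acls, route_map


def packet(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def acl_permits(entries, pkt):
    """Top-down, first matching entry decides; an ACL ends with an implicit deny."""
    for action, proto, src, dst, dport in entries:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not wildcard_covers(src[0], src[1], pkt["src"]):
            continue
        if not wildcard_covers(dst[0], dst[1], pkt["dst"]):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action == "permit"
    return False


def policy_route(acls, route_map, pkt):
    """Next-hop chosen by PBR, or None when the packet 'falls out of the
    route-map' and is forwarded by the ordinary routing table."""
    for seq in route_map:
        if acl_permits(acls.get(seq["acl"], []), pkt):
            return seq["next_hop"] if seq["action"] == "permit" else None
    return None


def demo():
    acls, route_map = parse_config(CONFIG)
    cases = [
        packet("172.22.4.7", "192.168.5.10", "tcp", 4400),    # GMC client, Trend port
        packet("172.22.4.7", "192.168.5.10", "tcp", 443),     # same hosts, other service
        packet("172.28.9.1", "192.168.5.20", "tcp", 4400),    # DH site, second server
        packet("192.168.10.5", "192.168.5.30", "tcp", 4400),  # a CBO /24, third server
        packet("192.168.77.5", "192.168.5.30", "tcp", 4400),  # not a listed CBO /24
    ]
    return [policy_route(acls, route_map, p) for p in cases]


if __name__ == "__main__":
    print(demo())
```

Running the file prints one next-hop (or None) per constructed packet; only the TCP/4400 flows from a listed subnet to the matching server are policy routed, everything else is left to the routing table, which is the behaviour confirmed in the thread. Two points the model makes visible: `wildcard_covers("192.168.2.0", "0.255.255.255", ...)` accepts any 192.x.x.x source, so a /24 site needs 0.0.0.255; and `set ip next-hop` only changes the forwarding hop, it never rewrites the destination address, so the client must already be addressing the server the policy expects and the next-hop must be a reachable neighbour on the path to it. On the real router, `show route-map` reports per-sequence policy routing match counters, which is the quickest way to confirm that traffic is actually hitting the intended sequence.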

Great! Got it... Thanks for the great info.

Robert
